W32/Calil-A

Discussion in 'malware problems & news' started by FanJ, Jul 8, 2002.

Thread Status:
Not open for further replies.
  1. FanJ (Guest)

    Name: W32/Calil-A
    Aliases: W32/Lilac.A@mm, WORM_LIAC.A
    Type: Win32 worm
    Date: 8 July 2002


    At the time of writing Sophos has received just one report of
    this worm from the wild.

    Description
    W32/Calil-A is an email worm which uses Microsoft Outlook to spread. The
    worm arrives in an email with the following characteristics:

    Subject line: FW: FW: LILAC project video attached
    Message text: Things that the govt. dont want you to know
    Attachment name: LILAC_WHAT_A_WONDERFULNAME.avi.exe.

    The icon of the attached file is identical to the icon of an AVI sound file.

    If the attachment is opened from Microsoft Outlook the worm runs and displays the fake error message "Error54:Media Player not installed correctly".

    The worm then sends itself to all contacts found in the Windows address book.

    W32/Calil-A adds or changes several registry entries. It adds the registry entry \HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Lilac so that the worm file runs during the Windows startup sequence.

    As a payload W32/Calil-A adds the registry entries

    \HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption
    and
    \HKLM\Software\Windows\Current\Version\Winlogon\LegalNoticeText

    so that the message box "Owned by xEnOcrAtEs" is displayed before the log-on dialog.


    More information about W32/Calil-A can be found at
    http://www.sophos.com/virusinfo/analyses/w32calila.html
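
As a defensive illustration of the attachment naming described in the post above (an added example, not part of the original post or of Sophos's analysis), this Python check shows how a mail filter could flag attachments whose name ends in a media or document extension followed by an executable one. The extension sets, function names and sample message are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed extension sets for this example; tune them for your environment.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"avi", "mpg", "mp3", "wav", "jpg", "gif", "txt", "doc", "pdf"}

def deceptive_double_extension(filename):
    """Return (decoy, real) when the name ends <decoy>.<executable>, else None."""
    # Windows drops trailing dots and spaces on save, so ignore them here too.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) < 3:
        return None
    # Padding between the two extensions can push the real one out of view.
    decoy, real = parts[-2].strip(), parts[-1].strip()
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None

def scan_message(raw_bytes):
    """Parse one RFC 5322 message and list attachments with a deceptive name."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        hit = deceptive_double_extension(name) if name else None
        if hit:
            findings.append({"subject": str(msg["Subject"]), "filename": name,
                             "decoy": hit[0], "real": hit[1]})
    return findings

def build_sample(filename):
    """Constructed test message using the subject and text quoted in the post."""
    m = EmailMessage()
    m["Subject"] = "FW: FW: LILAC project video attached"
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m.set_content("Things that the govt. dont want you to know")
    m.add_attachment(b"placeholder bytes, not a real binary",
                     maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for f in scan_message(build_sample("LILAC_WHAT_A_WONDERFULNAME.avi.exe")):
        print(f)
```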
     